How Do Infostealers Bypass MFA

Short answer

Infostealers bypass most forms of MFA by stealing session tokens rather than passwords. This technique is known as session hijacking or pass-the-cookie: the attacker takes a valid session cookie from an infected device and imports it into their own browser, bypassing the login flow entirely. Note: hardware-bound authentication methods such as YubiKey can resist this attack if the session is device-bound, but most enterprise applications do not enforce device binding.

How session token theft works

The attack follows a simple sequence:

1. User authenticates normally: the user logs in with their password and completes MFA. The server creates a session token and stores it as a cookie in the browser.

2. Infostealer extracts the cookie: the malware reads the browser's cookie storage and copies the session token along with all other stored data.

3. Token is sold on a marketplace: the stolen token, along with the rest of the log, is uploaded to a criminal marketplace or Telegram channel.

4. Attacker imports the token: the attacker (or buyer) imports the cookie into their own browser. The server recognizes the valid session token and grants access, no login required.
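Step 4 is where a defender gets a detection opportunity: a session created by one client is suddenly used by a different one, with no new login in between. The following added example (not code from the original page or from Passguard) runs that check over a few constructed key=value log lines. The log format, the session ids and the /24-plus-user-agent fingerprint are assumptions made for the example.

```python
import re
from collections import namedtuple
from datetime import datetime

# Constructed sample lines in an assumed key=value format (not real logs).
# alice logs in from the office at 09:00; at 14:30 her session id reappears
# from an unrelated network and browser. carol's session has no login at all.
SAMPLE_LOG = """\
ts=2024-05-01T09:00:00 event=login sid=s-4f1a user=alice ip=10.0.1.5 ua="Chrome/124 Windows"
ts=2024-05-01T09:05:12 event=request sid=s-4f1a user=alice ip=10.0.1.5 ua="Chrome/124 Windows"
ts=2024-05-01T09:10:00 event=login sid=s-b7c2 user=bob ip=10.0.2.9 ua="Firefox/125 macOS"
ts=2024-05-01T09:11:40 event=request sid=s-b7c2 user=bob ip=10.0.2.9 ua="Firefox/125 macOS"
ts=2024-05-01T14:30:05 event=request sid=s-4f1a user=alice ip=203.0.113.77 ua="Firefox/125 Linux"
ts=2024-05-01T14:31:20 event=request sid=s-4f1a user=alice ip=203.0.113.77 ua="Firefox/125 Linux"
ts=2024-05-01T15:02:00 event=request sid=s-9e0d user=carol ip=198.51.100.9 ua="Chrome/123 Windows"
"""

LOG_RE = re.compile(
    r'ts=(?P<ts>\S+) event=(?P<event>\S+) sid=(?P<sid>\S+) user=(?P<user>\S+) '
    r'ip=(?P<ip>\S+) ua="(?P<ua>[^"]*)"'
)

Alert = namedtuple("Alert", "ts sid user reason")


def client_fingerprint(ip, ua):
    # Coarse client identity: the /24 of the source address plus the user agent.
    # Deliberately tolerant of DHCP churn inside one office network.
    net = ".".join(ip.split(".")[:3])
    return f"{net}/24 {ua}"


def detect_session_replay(log_text):
    """Flag sessions used by a client other than the one that completed login."""
    origin = {}   # sid -> fingerprint of the client that logged in (and passed MFA)
    seen = set()  # (sid, fingerprint) pairs already alerted, to avoid repeats
    alerts = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ts = datetime.fromisoformat(m["ts"])
        sid, fp = m["sid"], client_fingerprint(m["ip"], m["ua"])
        if m["event"] == "login":
            origin[sid] = fp  # MFA happened here; this client owns the session
            continue
        if sid not in origin:
            reason = "session presented with no recorded login for it"
        elif origin[sid] != fp:
            reason = f"session created by {origin[sid]} but used from {fp}"
        else:
            continue  # same client that logged in; nothing to report
        if (sid, fp) not in seen:
            seen.add((sid, fp))
            alerts.append(Alert(ts, sid, m["user"], reason))
    return alerts


if __name__ == "__main__":
    for a in detect_session_replay(SAMPLE_LOG):
        print(f"{a.ts.isoformat()} {a.user} {a.sid}: {a.reason}")
```

On the sample input this raises two alerts: alice's session reused from 203.0.113.0/24 with a different browser, and carol's session id appearing with no login event. The fingerprint is intentionally coarse; laptops that roam between networks will trip it, so treat the result as a signal to correlate with login events and to revoke the session, not as a silent block.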

Why MFA alone is not enough

MFA protects the authentication moment: it verifies that the person logging in controls the right device or app. But once authentication is complete, the session token takes over. If that token is stolen and imported elsewhere, the server cannot distinguish between the legitimate user and the attacker. This is the core of the pass-the-cookie attack: the session has already been authenticated, so MFA is never triggered again.

This is fundamentally different from credential theft in a data breach. Stolen passwords can be blocked by MFA. Stolen session tokens bypass most MFA methods, because authentication already happened. The stolen session is what grants access, not the password. Hardware-bound methods like YubiKey can resist this if the session is device-bound, but most applications do not enforce that.

What organizations can do

Defending against session hijacking and pass-the-cookie attacks requires short session lifetimes, device-bound tokens where possible, and conditional access policies that validate device health. But no technical control catches everything. The critical last layer is monitoring: knowing when stolen sessions from your systems are being traded on criminal marketplaces, so you can revoke them before they are used. Passguard monitors these marketplaces continuously and alerts your security team the moment a stolen session linked to your organization appears.
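To make the "device-bound tokens" and "short session lifetimes" controls concrete, the following added example (not code from the original page or from Passguard) sketches a session server that refuses a cookie unless the request also carries a proof computed with a key that never leaves the device, and that expires sessions on idle and absolute timeouts. The `DeviceKey` class, the HMAC-based proof and the timeouts are assumptions made for the example; production schemes (WebAuthn, Device Bound Session Credentials) use an asymmetric key so the server stores only the public half.

```python
import hashlib
import hmac
import secrets

IDLE_TIMEOUT = 15 * 60        # seconds of inactivity before the session dies (assumed policy)
ABSOLUTE_LIFETIME = 8 * 3600  # hard cap regardless of activity (assumed policy)


class DeviceKey:
    """Stand-in for a non-exportable key held in a TPM or secure enclave.

    The secret can only be used to sign. An infostealer that reads the browser's
    cookie store gets the session id, but not this key. A shared HMAC secret is
    used here to keep the example self-contained; real deployments use an
    asymmetric key pair.
    """

    def __init__(self):
        self._secret = secrets.token_bytes(32)
        self.key_id = secrets.token_hex(8)

    def enrollment_secret(self):
        # Released once, at device enrollment, to the server's key store.
        return self._secret

    def prove(self, sid, nonce):
        # Fresh proof for one request: binds the cookie to this device and this nonce.
        return hmac.new(self._secret, f"{sid}:{nonce}".encode(), hashlib.sha256).hexdigest()


class SessionServer:
    def __init__(self, clock):
        self.clock = clock          # callable returning the current time in seconds
        self.device_secrets = {}    # key_id -> secret (server-side key store)
        self.sessions = {}          # sid -> session record

    def enroll(self, device):
        self.device_secrets[device.key_id] = device.enrollment_secret()

    def login(self, user, key_id):
        # Password and MFA verification are assumed to have just succeeded.
        sid, nonce = secrets.token_hex(16), secrets.token_hex(16)
        t = self.clock()
        self.sessions[sid] = {"user": user, "key_id": key_id, "created": t,
                              "last_seen": t, "nonce": nonce}
        return sid, nonce

    def authorize(self, sid, proof):
        """Return (ok, reason, next_nonce) for a request carrying cookie `sid`."""
        s = self.sessions.get(sid)
        if s is None:
            return False, "unknown session", None
        t = self.clock()
        if t - s["created"] > ABSOLUTE_LIFETIME or t - s["last_seen"] > IDLE_TIMEOUT:
            del self.sessions[sid]
            return False, "session expired", None
        expected = hmac.new(self.device_secrets[s["key_id"]],
                            f"{sid}:{s['nonce']}".encode(), hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, proof or ""):
            # A cookie imported into another browser arrives here: no device key, no proof.
            return False, "device proof missing or invalid", None
        s["last_seen"] = t
        s["nonce"] = secrets.token_hex(16)  # rotate so a captured proof cannot be replayed
        return True, "ok", s["nonce"]


class Clock:
    """Controllable clock so the timeouts can be exercised without sleeping."""
    def __init__(self, t):
        self.t = t

    def __call__(self):
        return self.t


def scenario():
    clock = Clock(1_700_000_000.0)
    server, device = SessionServer(clock), DeviceKey()
    server.enroll(device)
    sid, nonce = server.login("alice", device.key_id)
    results = {}
    ok, _, nonce2 = server.authorize(sid, device.prove(sid, nonce))
    results["legit"] = ok                                              # enrolled device: accepted
    results["cookie_only"] = server.authorize(sid, None)[1]            # cookie without device key
    results["replayed_proof"] = server.authorize(sid, device.prove(sid, nonce))[1]  # stale nonce
    clock.t += 60
    ok, _, nonce3 = server.authorize(sid, device.prove(sid, nonce2))
    results["legit_again"] = ok                                        # device keeps working
    clock.t += IDLE_TIMEOUT + 1
    results["idle"] = server.authorize(sid, device.prove(sid, nonce3))[1]  # idle timeout
    return results


if __name__ == "__main__":
    for name, value in scenario().items():
        print(f"{name}: {value}")
```

The point of `scenario()` is the second and third results: the same valid cookie is refused when it arrives without a proof from the enrolled device, and a captured proof is refused because the nonce was rotated after its first use. Binding is only as strong as the key store; if the device key can be exported alongside the cookie, the control collapses back to plain session hijacking, which is why the page's advice to monitor for traded sessions still applies.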

Detect infostealers before they strike

Trusted by security experts • See results in 1 minute